HKSM

A rapid, expert-driven process to rate and prioritize identified risks by their likelihood, impact, and other attributes so the team knows where to focus response planning.

Purpose & When to Use

• Prioritize individual risks so the team focuses on the most significant threats and opportunities first.
• Screen risks for urgency, detectability, and manageability to guide near-term actions.
• Support clear communication with stakeholders by using agreed rating scales and a risk matrix.
• Use after risks are identified and repeat regularly, especially after major changes, phase gates, or new discoveries.
• Prepares inputs for planning risk responses; it does not calculate reserves or run simulations.

Mini Flow (How It’s Done)

• Set the ground rules: confirm probability and impact scales, define what “high,” “medium,” and “low” mean, and share the risk matrix.
• Gather inputs: risk register, assumptions and constraints, stakeholder risk attitudes, and context from the plan.
• Engage the right people: team members, subject-matter experts, and key stakeholders with relevant knowledge.
• Rate each risk: assess probability and impact, and capture a simple score if used (for example, P × I) for quick sorting.
• Assess additional attributes: urgency or proximity, detectability, controllability, and potential to aggregate with other risks.
• Categorize risks: group by source, root cause, or project area to spot patterns and systemic drivers.
• Check data quality: verify clarity of the risk statement, source reliability, and whether more information is needed.
• Prioritize and shortlist: flag high-priority risks for immediate response planning; place low-priority items on a watch list.
• Assign owners and next steps: document the owner, due dates, and whether escalation or further analysis is needed.
• Update the risk register and communicate results: record ratings, rationale, owners, and the plan for re-assessment.

Quality & Acceptance Checklist

• Probability and impact scales are defined, agreed, and consistently applied.
• The risk matrix and rating criteria reflect stakeholder risk appetite and thresholds.
• Each risk has a clear statement, cause, and potential effect documented.
• Ratings include probability, impact, and at least one additional attribute (such as urgency or detectability) where relevant.
• Rationale for ratings is recorded to support transparency and future reviews.
• High-priority risks have owners and immediate next actions identified.
• Low-priority risks are placed on a watch list with a review date.
• Data quality was checked; unclear or weakly supported risks are flagged for follow-up.
• Updates are reflected in the risk register and communicated to stakeholders.
• A re-assessment cadence is agreed and scheduled.

Common Mistakes & Exam Traps

• Confusing qualitative with quantitative analysis; qualitative ranks and prioritizes, while quantitative models numbers and reserves.
• Ignoring opportunities; apply the same rigor to positive risks as to threats.
• Using inconsistent scales across sessions, making results not comparable.
• Rating risks assuming future responses are already in place; rate based on current situation and existing controls only.
• Skipping data quality checks, which leads to false precision and poor priorities.
• Doing it once and never revisiting; re-assess after major changes or new risks.
• Excluding key stakeholders or experts, which introduces bias and blind spots.
• Jumping straight to detailed response planning without first prioritizing.

PMP Example Question

During a risk workshop, the team debates whether to run a simulation before assigning risk owners. What should the project manager do next?

1. Run a Monte Carlo simulation to estimate overall schedule risk.
2. Perform qualitative risk analysis to prioritize risks and assign owners.
3. Develop contingency reserves based on historical reserves from similar projects.
4. Close all low-impact risks to simplify the register.

Correct Answer: B — Perform qualitative risk analysis to prioritize risks and assign owners.

Explanation: Qualitative analysis comes first to rank risks and focus efforts. Simulation is part of quantitative analysis and is typically performed after prioritization.